Most modern automobiles operate via the correct functioning of various discrete electronic control units (ECUs), sensors, and/or actuators that communicate over one or more in-vehicle automobile networks (e.g., Controller Area Networks (CANs) and FlexRay Networks). Traditional automobile networks have been broadcast networks, and traditional automobile-network messages have generally not included source or destination addresses. Instead of using source or destination addresses, transmitting nodes have generally used unique identifiers to label the automobile-network messages that they broadcast and the data that the messages contain. As such, each node that is connected to a traditional automobile network will generally (1) receive each automobile-network message that is broadcast over the automobile network and (2) be required to decide whether to act upon or ignore the received messages based on the messages' identifiers.
Traditionally, automobile-network nodes have been designed to trust the automobile-network messages that they receive. However in recent years, researchers and malicious attackers have begun to find various ways to cause an automobile to perform unexpected and/or undesired actions by (1) connecting to the automobile's automobile networks (e.g., via a diagnostic port located under the dash of the automobile or a compromised automobile-network node that has wireless communication capabilities) and by broadcasting malicious automobile-network messages over the automobile network. For example, by broadcasting malicious automobile-network messages over an automobile's automobile network, an attacker may be able to cause the automobile to misreport its speed, apply its brakes, turn its steering wheel, or even shut down. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for detecting anomalous messages in automobile networks.